<html>
<head><meta charset="utf-8"><title>async and HTTP client rant · wg-secure-code · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/index.html">wg-secure-code</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html">async and HTTP client rant</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="184971156"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/184971156" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#184971156">(Jan 07 2020 at 00:18)</a>:</h4>
<p>I have a draft of a new post on my personal blog, I'd appreciate pre-reading and feedback: <a href="https://medium.com/@shnatsel/smoke-testing-rust-http-clients-b8f2ee5db4e6" target="_blank" title="https://medium.com/@shnatsel/smoke-testing-rust-http-clients-b8f2ee5db4e6">https://medium.com/@shnatsel/smoke-testing-rust-http-clients-b8f2ee5db4e6</a></p>



<a name="184973458"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/184973458" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#184973458">(Jan 07 2020 at 01:05)</a>:</h4>
<p>Well, I've just learned that <a href="https://crates.io/crates/attohttpc" target="_blank" title="https://crates.io/crates/attohttpc">https://crates.io/crates/attohttpc</a> is a thing, I guess I have still more testing and writing to do</p>



<a name="184978418"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/184978418" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#184978418">(Jan 07 2020 at 03:07)</a>:</h4>
<p>Please disregard that, looks like I will be rewriting that</p>



<a name="184978994"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/184978994" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#184978994">(Jan 07 2020 at 03:22)</a>:</h4>
<p>I'm definitely interested in minimalist security-oriented HTTP clients</p>



<a name="184978996"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/184978996" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#184978996">(Jan 07 2020 at 03:22)</a>:</h4>
<p>particularly ones which use rustls by default</p>



<a name="184979136"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/184979136" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Wesley Moore <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#184979136">(Jan 07 2020 at 03:26)</a>:</h4>
<p>Interesting post Shnatsel. In, "Here are two probably-exploitable bugs that are still unpatched in the latest version of libcurl: 1, 2." the second link is in a unit test so might not apply.</p>



<a name="184984095"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/184984095" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#184984095">(Jan 07 2020 at 05:43)</a>:</h4>
<p>Good catch, thanks!</p>



<a name="184984154"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/184984154" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#184984154">(Jan 07 2020 at 05:45)</a>:</h4>
<p>I'm re-running the test on attohttpc now, will put in the results and rewrite conclusion</p>



<a name="184984158"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/184984158" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#184984158">(Jan 07 2020 at 05:45)</a>:</h4>
<p>Also turns out <a href="https://crates.io/crates/http_req" target="_blank" title="https://crates.io/crates/http_req">https://crates.io/crates/http_req</a> is a thing, even has some downloads unlike the other 2 sync clients</p>



<a name="185044728"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/185044728" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#185044728">(Jan 07 2020 at 19:25)</a>:</h4>
<p>Also I think I need a better title for this post</p>



<a name="185045171"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/185045171" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#185045171">(Jan 07 2020 at 19:29)</a>:</h4>
<p>huh, another one</p>



<a name="185045187"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/185045187" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#185045187">(Jan 07 2020 at 19:29)</a>:</h4>
<p>I wrote one of these but it barely works and I'd like to abandon it</p>



<a name="185045190"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/185045190" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#185045190">(Jan 07 2020 at 19:29)</a>:</h4>
<p>heh</p>



<a name="185045218"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/185045218" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#185045218">(Jan 07 2020 at 19:29)</a>:</h4>
<p><a href="https://crates.io/crates/harp" target="_blank" title="https://crates.io/crates/harp">https://crates.io/crates/harp</a></p>



<a name="185049857"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/185049857" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#185049857">(Jan 07 2020 at 20:12)</a>:</h4>
<p>There's also <a href="https://crates.io/crates/cabot" target="_blank" title="https://crates.io/crates/cabot">https://crates.io/crates/cabot</a></p>



<a name="185057181"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/185057181" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#185057181">(Jan 07 2020 at 21:33)</a>:</h4>
<p><span class="user-mention" data-user-id="127617">@Shnatsel</span> ureq got a <a href="https://github.com/dpc/crev-proofs/commit/42a3b5c5d6c0fc6e49f344fb89208454ffd6fc81" target="_blank" title="https://github.com/dpc/crev-proofs/commit/42a3b5c5d6c0fc6e49f344fb89208454ffd6fc81">bad crev rating</a> the first time around, has the situation gotten better since then?</p>



<a name="185057247"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/185057247" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#185057247">(Jan 07 2020 at 21:34)</a>:</h4>
<p>Yes, I believe most points from that review are addressed</p>



<a name="185057291"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/185057291" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#185057291">(Jan 07 2020 at 21:34)</a>:</h4>
<p>I am rewriting my article to be even more nihilistic now because I've found that none of the sync crates allow specifying a timeout for the entire request, so they're all trivial to DoS</p>



<a name="185057480"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/185057480" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#185057480">(Jan 07 2020 at 21:37)</a>:</h4>
<p>the version you linked up there has been a fun read, good job :)</p>



<a name="185057502"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/185057502" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#185057502">(Jan 07 2020 at 21:37)</a>:</h4>
<p>though even more nihilistic might be hard to swallow^^</p>



<a name="185057612"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/185057612" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#185057612">(Jan 07 2020 at 21:38)</a>:</h4>
<p>(for my pet projects I used attohttpc instead of ureq based on that crev comment, maybe I should switch. but then, they're just toys, and I am not sure if I want to play type golf again until I've figured out how to get a <code>Read</code> trait out of the response^^)</p>



<a name="185057696"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/185057696" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#185057696">(Jan 07 2020 at 21:39)</a>:</h4>
<p>I have run attohttpc through the same test but haven't looked at the results yet. My gripe with attohttpc is that it doesn't support rustls, only openssl or native-tls</p>



<a name="185057737"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/185057737" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#185057737">(Jan 07 2020 at 21:39)</a>:</h4>
<p>plus it pulls in the same hand-rolled hashmap advertised as HTTP types, but I guess I can live with that</p>



<a name="185057983"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/185057983" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#185057983">(Jan 07 2020 at 21:42)</a>:</h4>
<p><span class="user-mention" data-user-id="120791">@RalfJ</span> btw you will probably appreciate this gem:<br>
<a href="https://github.com/actix/actix-net/blob/7dddeab2a8c4fdcd0c7de6aa4303aca8faffcd53/actix-service/src/cell.rs#L40" target="_blank" title="https://github.com/actix/actix-net/blob/7dddeab2a8c4fdcd0c7de6aa4303aca8faffcd53/actix-service/src/cell.rs#L40">https://github.com/actix/actix-net/blob/7dddeab2a8c4fdcd0c7de6aa4303aca8faffcd53/actix-service/src/cell.rs#L40</a><br>
and this:<br>
<a href="https://github.com/actix/actix-net/blob/7dddeab2a8c4fdcd0c7de6aa4303aca8faffcd53/actix-service/src/cell.rs#L35" target="_blank" title="https://github.com/actix/actix-net/blob/7dddeab2a8c4fdcd0c7de6aa4303aca8faffcd53/actix-service/src/cell.rs#L35">https://github.com/actix/actix-net/blob/7dddeab2a8c4fdcd0c7de6aa4303aca8faffcd53/actix-service/src/cell.rs#L35</a></p>



<a name="185058016"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/185058016" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#185058016">(Jan 07 2020 at 21:43)</a>:</h4>
<p>the <code>allow(clippy::mut_from_ref)</code> is great^^</p>



<a name="185058099"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/185058099" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#185058099">(Jan 07 2020 at 21:44)</a>:</h4>
<p>though this does have interior mutability, so if used correctly this could avoid UB</p>



<a name="185058352"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/185058352" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#185058352">(Jan 07 2020 at 21:47)</a>:</h4>
<p>wait... <code>get_mut</code> makes no sense, does it? <code>&amp;mut Rc&lt;T&gt;</code> doesn't mean we can safely get mutable access to the interior.</p>



<a name="185058362"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/185058362" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#185058362">(Jan 07 2020 at 21:47)</a>:</h4>
<p>Ah, so the <code>&amp;T</code> to <code>&amp;mut T</code> transmute in here is actually okay because they are doing this to an <code>UnsafeCell</code>?</p>



<a name="185058423"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/185058423" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#185058423">(Jan 07 2020 at 21:48)</a>:</h4>
<p>Of course it makes no sense, they're trying to use a hand-rolled Cell as a RefCell</p>



<a name="185058433"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/185058433" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#185058433">(Jan 07 2020 at 21:48)</a>:</h4>
<p>which it isn't</p>



<a name="185058437"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/185058437" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#185058437">(Jan 07 2020 at 21:48)</a>:</h4>
<p>it's not doing such a transmute, is it? it's calling <code>UnsafeCell::get</code></p>



<a name="185058472"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/185058472" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#185058472">(Jan 07 2020 at 21:48)</a>:</h4>
<p>which is the one okay way to go from <code>&amp;UnsafeCell&lt;T&gt;</code> to <code>&amp;mut T</code> <em>if</em> you can assure uniqueness</p>



<a name="185058506"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/185058506" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#185058506">(Jan 07 2020 at 21:49)</a>:</h4>
<p>but, making <code>get_mut</code> safe just seems entirely wrong, this is like <code>Rc::get_mut</code> but without the check that the refcount is 1...</p>



<a name="185058526"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/185058526" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#185058526">(Jan 07 2020 at 21:49)</a>:</h4>
<p>Yep, the entire reason why <code>std::Cell</code> doesn't have <code>get_mut()</code> is because you need <code>RefCell</code> to guarantee uniqueness</p>



<a name="185058587"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/185058587" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#185058587">(Jan 07 2020 at 21:50)</a>:</h4>
<p>not sure what you mean? <a href="https://doc.rust-lang.org/nightly/std/cell/struct.Cell.html#method.get_mut" target="_blank" title="https://doc.rust-lang.org/nightly/std/cell/struct.Cell.html#method.get_mut">https://doc.rust-lang.org/nightly/std/cell/struct.Cell.html#method.get_mut</a></p>



<a name="185058622"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/185058622" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#185058622">(Jan 07 2020 at 21:50)</a>:</h4>
<p>hmm, let me rethink that</p>



<a name="185058624"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/185058624" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#185058624">(Jan 07 2020 at 21:50)</a>:</h4>
<p>the thing it doesnt have is <code>RefCell</code>'s <code>borrow_mut</code></p>



<a name="185058691"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/185058691" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#185058691">(Jan 07 2020 at 21:51)</a>:</h4>
<p>but the thing is, actix' <code>Cell</code> is an <code>Rc</code>, so the <code>&amp;mut</code> doesn't mean anything</p>



<a name="185058768"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/185058768" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#185058768">(Jan 07 2020 at 21:52)</a>:</h4>
<p>that's why <code>std::Cell::get_mut</code> makes sense, but this one doesn't</p>



<a name="185063203"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/185063203" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#185063203">(Jan 07 2020 at 22:46)</a>:</h4>
<p>oh cool, <a href="https://crates.io/crates/cabot" target="_blank" title="https://crates.io/crates/cabot">https://crates.io/crates/cabot</a> is actually async and uses async-std under the hood. I'll have to try that</p>



<a name="185063548"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/185063548" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#185063548">(Jan 07 2020 at 22:51)</a>:</h4>
<p>I don't get the point of that</p>



<a name="185063552"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/185063552" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#185063552">(Jan 07 2020 at 22:51)</a>:</h4>
<p>if that's what you want, why not <code>surf</code>?</p>



<a name="185063626"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/185063626" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#185063626">(Jan 07 2020 at 22:52)</a>:</h4>
<p>does it have significantly fewer dependencies?</p>



<a name="185066092"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/185066092" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#185066092">(Jan 07 2020 at 23:28)</a>:</h4>
<p><code>surf</code> has every async dependency under the sun, <em>except</em> <code>async-std</code></p>



<a name="185078332"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/185078332" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#185078332">(Jan 08 2020 at 03:37)</a>:</h4>
<p>oh weird, I guess it's only a dev-dependency?</p>



<a name="185750219"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/185750219" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#185750219">(Jan 15 2020 at 22:14)</a>:</h4>
<p>Here's the final draft of the article, i.e. this is what's going to be on reddit tomorrow if you don't stop me:<br>
<a href="https://medium.com/@shnatsel/smoke-testing-rust-http-clients-b8f2ee5db4e6" target="_blank" title="https://medium.com/@shnatsel/smoke-testing-rust-http-clients-b8f2ee5db4e6">https://medium.com/@shnatsel/smoke-testing-rust-http-clients-b8f2ee5db4e6</a><br>
Proofreading is <em>very</em> welcome.</p>



<a name="185789676"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/185789676" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Yerkebulan Tulibergenov <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#185789676">(Jan 16 2020 at 06:35)</a>:</h4>
<p>I loved it! You wrote sever instead of server in one place, purpoise instead of purpose in another. Since you mention Go in the end, would you be able to run the same experiment with it for fun?</p>



<a name="185814722"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/185814722" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#185814722">(Jan 16 2020 at 13:35)</a>:</h4>
<p>Thanks! I am rather tired of doing this after performing and analyzing 10+ runs, so I'll leave trying Go as an exercise to the reader.</p>



<a name="185853742"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/185853742" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#185853742">(Jan 16 2020 at 20:02)</a>:</h4>
<p>Finalized and posted: <a href="https://medium.com/@shnatsel/smoke-testing-rust-http-clients-b8f2ee5db4e6" target="_blank" title="https://medium.com/@shnatsel/smoke-testing-rust-http-clients-b8f2ee5db4e6">https://medium.com/@shnatsel/smoke-testing-rust-http-clients-b8f2ee5db4e6</a><br>
Thanks for all the help!</p>



<a name="185870066"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/185870066" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#185870066">(Jan 16 2020 at 22:45)</a>:</h4>
<p>Wow, I'm getting some high praise on Reddit! <a href="https://www.reddit.com/r/rust/comments/epoloy/ive_smoketested_rust_http_clients_heres_what_i/" target="_blank" title="https://www.reddit.com/r/rust/comments/epoloy/ive_smoketested_rust_http_clients_heres_what_i/">https://www.reddit.com/r/rust/comments/epoloy/ive_smoketested_rust_http_clients_heres_what_i/</a></p>



<a name="186001300"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/186001300" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#186001300">(Jan 18 2020 at 16:13)</a>:</h4>
<p>Hmm, this is having some profound consequences: <a href="https://words.steveklabnik.com/a-sad-day-for-rust" target="_blank" title="https://words.steveklabnik.com/a-sad-day-for-rust">https://words.steveklabnik.com/a-sad-day-for-rust</a><br>
I'm very much open to input on how I could have done better. I've already solicited feedback elsewhere, but wanted to post here too.</p>



<a name="186001665"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/186001665" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Stuart Small <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#186001665">(Jan 18 2020 at 16:24)</a>:</h4>
<p>I think the tone was harsh but at least it focused on the code.  The harshness was compounded by the follow up from others.</p>



<a name="186001668"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/186001668" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Stuart Small <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#186001668">(Jan 18 2020 at 16:24)</a>:</h4>
<p>For me that was the real problem.  The follow up became really personal and turned into direct attacks</p>



<a name="186001794"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/186001794" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Stuart Small <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#186001794">(Jan 18 2020 at 16:28)</a>:</h4>
<p>Doesn't mean there isn't room to improve</p>



<a name="186001889"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/186001889" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> centril <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#186001889">(Jan 18 2020 at 16:31)</a>:</h4>
<p><span class="user-mention" data-user-id="127617">@Shnatsel</span> I think your post was fair, accurate, and necessary. I don't think you are to blame.</p>



<a name="186001893"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/186001893" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> centril <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#186001893">(Jan 18 2020 at 16:31)</a>:</h4>
<p>and I'm sorry for the abuse leveled at you.</p>



<a name="186002086"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/186002086" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Stuart Small <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#186002086">(Jan 18 2020 at 16:36)</a>:</h4>
<p>Maybe it would be a good time to talk about guidelines on how to present posts like this?  We've all had issues where other developers have trouble accepting security related bug reports especially when there isn't a clear POC to come along with it.  Hopefully in the future there will be others filing the bugs and writing these posts too.  And guidance goes a long way then</p>



<a name="186002096"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/186002096" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Stuart Small <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#186002096">(Jan 18 2020 at 16:37)</a>:</h4>
<p>I'm glad you brought this up too. Retrospection is such a good and healthy thing, for all of us</p>



<a name="186002984"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/186002984" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#186002984">(Jan 18 2020 at 17:02)</a>:</h4>
<p><span class="user-mention" data-user-id="126931">@centril</span> there is very little abuse levelled at me, actually. I got called a zealot, what, once? For an article with 25,000 views that's <em>nothing.</em><br>
I am my own worst critic.</p>



<a name="186003091"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/186003091" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#186003091">(Jan 18 2020 at 17:04)</a>:</h4>
<p>There's bound to be <em>some</em> abuse and negativity at these exposure levels. It's a simple matter of probability. I have elaborated on it more here: <a href="https://www.reddit.com/r/rust/comments/eq11t3/a_sad_day_for_rust/feo2eh4/" target="_blank" title="https://www.reddit.com/r/rust/comments/eq11t3/a_sad_day_for_rust/feo2eh4/">https://www.reddit.com/r/rust/comments/eq11t3/a_sad_day_for_rust/feo2eh4/</a></p>



<a name="186003103"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/186003103" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> centril <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#186003103">(Jan 18 2020 at 17:05)</a>:</h4>
<p>Yeah I agree wrt. "probability"</p>



<a name="186003272"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/186003272" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#186003272">(Jan 18 2020 at 17:09)</a>:</h4>
<p><span class="user-mention" data-user-id="132722">@Stuart Small</span> I absolutely agree that we need clear guidelines on what the demarcation and contracts between safe and unsafe Rust should be. But it's already described in detail in the very first chapter of the Nomicon: <a href="https://doc.rust-lang.org/nomicon/safe-unsafe-meaning.html" target="_blank" title="https://doc.rust-lang.org/nomicon/safe-unsafe-meaning.html">https://doc.rust-lang.org/nomicon/safe-unsafe-meaning.html</a></p>



<a name="186013542"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/186013542" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Stuart Small <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#186013542">(Jan 18 2020 at 22:00)</a>:</h4>
<p>I was thinking more of guidelines for the community in approaching security issues than use of unsafe guidelines.  The author had already made it pretty clear where he stands on unsafe use (and a few other software engineering best practices) and I don’t think more documentation of best practices would change that.  I think we should look more at how we can meet maintainers where they are.  </p>
<p>I think we’ve all run into situations where we’ve reported a vulnerability to a maintainer, company or other engineer in our org and gotten a negative reaction.  Sometimes dismissal, denial or flat out hostility.  It isn’t surprising.  I think most engineers believe they write high quality secure code and unsurprisingly get defensive when someone shows up saying otherwise.  When faced with a bug report where there are usually pretty clear repro steps, it is easier to accept the mistake.  Often security vulnerabilities don’t have those clear steps or they come with a lot of conditionals.  Without POC exploit code, or POC code that relies on a situation the engineer sees as realistic, they might push back or ignore the patch.</p>
<p>Also there will always be libraries that don’t match what we view as proper security posture.  Either they don’t care (ESR adding segfault handlers to silence fuzzer reports), they have other interests (willing to accept the risk of deadlocks for higher throughput, i.e. the hyper example), not viewing the ability to trigger UB through misuse of library APIs as a library bug, or something else.  It is okay if other libraries have a different threat model than we do, but when that happens we should think about how to communicate this difference to the community in a respectful way.</p>
<p>Part of the objection I saw several people bring up was the heavy editorializing of code quality when reviewing the libraries.  Whether the criticisms were right or wrong, it rubbed people the wrong way.  We often find ourselves diving into some of the darker, dustier parts of codebases that a lot of people can ignore and this can lead to a lot of cynicism about the code.  Having that come through in writing, especially a long form piece like this, can be really hard to avoid. </p>
<p>To be fair, when I first read the post when you posted it in here I didn’t see a problem with the writing.  I thought it was an interesting and well written article.  I still don’t think it was the heart of what went wrong but it was a contributing factor.    It was a minor one and an unintentional one but was still part of the chain of events.</p>
<p>I think out of this we can look at improving on a couple different fronts:</p>
<ol>
<li>If clear bugs are found, how can they be communicated without causing a stir?</li>
</ol>
<p>I’ll be honest, I’m not even positive on best practices on communicating security issues in open source.  Most of my career has been working within corporate walled gardens and working out in the open is a strange feeling.  Inside a corporation I am a lot less worried about others’ feelings than in public posts on the internet.  How can we communicate opinions on quality in a way that doesn’t put people on the defensive?  When should we reach out to a maintainer in private? When should we elevate an issue to a RUSTSEC filing?</p>
<p>While part of this problem is how bug reports are communicated, educating the community is another huge part. The lines between soundness error, UB and RCE started getting blurred in some of those comment sections because of some uninformed commenters.  Some educational blog posts on fundamentals to point to could go a long way in stopping mobs forming on reddit.  We take a lot of this for granted but others will find it useful.</p>
<ol start="2">
<li>If a crate is not designed with security in mind, how can this be communicated to the community without generating hostility?</li>
</ol>
<p>This is one I’ve been thinking about a lot.  The unsafe issues with actix have been known for a while but haven’t been communicated in the healthiest way.  It became a bit of a meme on reddit which helped more users find out about it but also led to this problem.  How can we communicate something like this to the community without a repeat of what happened?  This will involve talking about how users evaluate dependencies.  Are they checking cargo crev?  What about cargo geiger? Are a series of “closed will not fix” UB issues in the tracker enough to scare people away?  Do users care if their dependencies heavily use unsafe?  I don’t know the answer here but have a couple ideas.</p>



<a name="186013552"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/186013552" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Stuart Small <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#186013552">(Jan 18 2020 at 22:00)</a>:</h4>
<p>Bit of a monologue.  Sorry I dropped off earlier.  I literally got a page right after I sent the earlier message.  Today has been weird.</p>



<a name="186017609"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/186017609" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#186017609">(Jan 19 2020 at 00:08)</a>:</h4>
<p>Thanks for sharing your thoughts. I did not have the time to carefully read and fully understand this yet, but I will do so later.</p>



<a name="186045140"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/186045140" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#186045140">(Jan 19 2020 at 15:57)</a>:</h4>
<p>this has been bumming me out. mostly because I feel the responses to it have been so bad. Steve's post is probably the best one...</p>



<a name="186045186"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/186045186" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#186045186">(Jan 19 2020 at 15:58)</a>:</h4>
<p>"unsafety" seems like a red herring people are diving for enthusiastically, overlooking the real problem IMO was the mob mentality, plastering every GitHub comment with emoji, etc</p>



<a name="186045202"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/186045202" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#186045202">(Jan 19 2020 at 15:59)</a>:</h4>
<p>but everyone is rushing to have a hot take where they identify their particular axe to grind as The Thing That Went Wrong</p>



<a name="186045600"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/186045600" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#186045600">(Jan 19 2020 at 16:11)</a>:</h4>
<p>Yeah, the dogpiling seems like the real issue. And it's sadly incredibly common, basically anytime a specific github issue is on reddit/Orange Website/goes viral on twitter/etc. it seems to happen.</p>
<p>Github has better tools now than it did 5 years ago, but I'm not sure tooling can be a sufficient solution</p>



<a name="186045611"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/186045611" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#186045611">(Jan 19 2020 at 16:11)</a>:</h4>
<p>I think there's an interesting question of "are there things that can be done in our unsafety work to discourage dogpiling", but  I don't have an answer to that.</p>



<a name="186045661"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/186045661" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Stuart Small <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#186045661">(Jan 19 2020 at 16:12)</a>:</h4>
<p>I totally agree.  If I wanted to point to <em>one thing</em> it was reddit culture and moderation.  I heard one idea of banning posting links to GitHub issues and I really like that idea.  It's small, enforceable and would have direct impact.</p>
<p>I didn't want to bring any of that up because it is outside the scope of this group.  I think we do have things we can do to help though</p>



<a name="186045800"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/186045800" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#186045800">(Jan 19 2020 at 16:16)</a>:</h4>
<p>That seems like a really big hammer. It's very useful to be able to share a link to an issue in response to a question someone has!</p>
<p>It seems like what you want, which isn't possible ATM, is links to github issues from reddit to have a mandatory backoff time before you can comment via that link. You want the roadblock to dogpiling.</p>



<a name="186045802"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/186045802" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#186045802">(Jan 19 2020 at 16:16)</a>:</h4>
<p>s/roadblock/speedbump/</p>



<a name="186046232"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/186046232" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#186046232">(Jan 19 2020 at 16:31)</a>:</h4>
<p>I think a simple thing GitHub could do is remove the non-affirming emoji</p>



<a name="186046272"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/186046272" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#186046272">(Jan 19 2020 at 16:32)</a>:</h4>
<p>because when people come from upboat/downboat-driven sites like Reddit or HN, they use the emoji as if they were on Reddit or HN...</p>



<a name="186046286"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/186046286" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#186046286">(Jan 19 2020 at 16:32)</a>:</h4>
<p>That's another really big hammer, there's lots of valid use cases for those! At work we do lots of voting on things like "which snacks should we buy for the office" with github emoji. (This makes me so happy)</p>



<a name="186046298"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/186046298" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#186046298">(Jan 19 2020 at 16:33)</a>:</h4>
<p>haha, ok</p>



<a name="186046359"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/186046359" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#186046359">(Jan 19 2020 at 16:35)</a>:</h4>
<p>Maybe our snack voting is less important :-)</p>



<a name="186050567"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/186050567" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Stuart Small <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#186050567">(Jan 19 2020 at 18:43)</a>:</h4>
<p>That isn't really what I want.  It is an idea that I saw thrown out that makes sense but I don't know what is best on the moderation front.  There is a working group for that and it'll be best to leave that to them.</p>



<a name="186050641"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/186050641" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Stuart Small <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#186050641">(Jan 19 2020 at 18:45)</a>:</h4>
<p>For me it boils down to one question: what can we do to help prevent mobs forming over security issues?</p>



<a name="186231080"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/186231080" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#186231080">(Jan 21 2020 at 21:41)</a>:</h4>
<p>FWIW, it seems like this may all have a happy ending after all: the new maintainer of Actix has reached out to us about fixing the unsoundness and filing RustSec issues for it</p>



<a name="186244984"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/186244984" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Thom Chiovoloni <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#186244984">(Jan 22 2020 at 00:52)</a>:</h4>
<p>Happy is... relative. The old maintainer being driven out of open source makes this bittersweet at best</p>



<a name="186245844"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/async%20and%20HTTP%20client%20rant/near/186245844" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/async.20and.20HTTP.20client.20rant.html#186245844">(Jan 22 2020 at 01:10)</a>:</h4>
<p>I'm just glad something good could come of it</p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>